Government Attorneys Agree With EFF: New 'Counterterrorism' Database Rules Threaten Privacy of Every American

Last week, the Wall Street Journal reported on how a little-known government agency—the National Counterterrorism Center (NCTC)—got the keys to government databases full of detailed, personal information of millions of innocent Americans. Using the Freedom of Information Act and interviews with officials, the Journal obtained emails and other information detailing how the massive new spying program, which the Attorney General signed off on in March, was approved by the White House in secret—over strenuous objections from government privacy lawyers.

Now, NCTC can copy entire government databases—flight records, casino-employee lists, the names of Americans hosting foreign-exchange students and many others. The agency has new authority to keep data about innocent U.S. citizens for up to five years, and to analyze it for suspicious patterns of behavior. Previously, both were prohibited. Data about Americans "reasonably believed to constitute terrorism information" may be permanently retained.

Journalist Marcy Wheeler summed the new guidelines up nicely in March, saying, “So…the data the government keeps to track our travel, our taxes, our benefits, our identity? It just got transformed from bureaucratic data into national security intelligence.”

Ironically, this civil liberties debacle apparently was a response to the attempted 2009 Christmas “underwear” bombing by Umar Farouk Abdulmutallab. As the ACLU observed, however, “Abdulmutallab wasn’t a U.S. citizen, and collecting information on him wasn’t a problem. Instead, his own father had identified him to the U.S. government as a potential terrorist. In short, an attack by a known foreign terror suspect was used to justify changes to rules about collecting information on U.S. citizens.”

The Privacy Act is supposed to limit the ability of the U.S. government to collect and maintain detailed data about ordinary citizens. Among other restrictions, it prohibits agencies from maintaining personal information unless it is “relevant and necessary” for a specific purpose. But thanks to a loophole in the law, federal agencies can issue public notices to the Federal Register, and attempt to skirt those rules entirely, thereby opening the door to arbitrary and unnecessary data collection.

As Mary Ellen Callahan, the chief privacy officer of the Department of Homeland Security unsuccessfully argued at the time, "This is a sea change in the way that the government interacts with the general public." Another former senior White House official called the program “breathtaking” in scope.

According to the Journal’s investigation, the debate over the program’s potential privacy violations sparked a “heated” and “testy” debate in the Justice Department, Department of Homeland Security, and the White House. A DHS lawyer complained via email that the advocates of the program were providing "complete non-sequiturs" and "non-responsive" examples. Ultimately, privacy lost.

Of course, it’s unclear whether the data-mining operation even works:

At the Department of Justice, Chief Privacy Officer Nancy Libin raised concerns about whether the guidelines could unfairly target innocent people, these people said. Some research suggests that, statistically speaking, there are too few terror attacks for predictive patterns to emerge. The risk, then, is that innocent behavior gets misunderstood—say, a man buying chemicals (for a child's science fair) and a timer (for the sprinkler) sets off false alarms.

Just like EFF did in March, the Journal compared the new NCTC program to the notorious “Total Information Awareness” surveillance program proposed by Admiral John Poindexter in 2002. As the New York Times explained, Poindexter “proposed fusing vast archives of electronic records — like travel records, credit card transactions, phone calls and more — and searching for patterns of a hidden terrorist cell.” Congress was so alarmed by the potential invasion to innocent Americans’ privacy that they defunded it in 2003.

What the Journal did not mention, however, is that even the NCTC’s best-known database—the Terrorist Identities Datamart Environment, or TIDE—is already fraught with problems. “TIDE contains more than 500,000 identities suspected of terror links,” explained the Journal. “TIDE files are important because they are used by the Federal Bureau of Investigation to compile terrorist ‘watchlists.’”

But according to an unusually blunt Senate investigation of so-called “fusion centers” released last month, the TIDE database is also full of information of innocent people that have nothing to do with terrorism. The report gave examples of: a TIDE profile of a person whom the FBI had already cleared of any connection to terrorism, a TIDE profile of a two-year old-boy, and even a TIDE profile of Ford Motor Company.

Indeed, the data-mining expansion seems like a horrible, self-fulfilling prophecy. As the Journal noted, the underwear bomber incident led President Obama to order agencies to send all their leads to NCTC, and to order NCTC to "pursue thoroughly and exhaustively terrorism threat threads." Predictably, NCTC was flooded with terror tips, creating a huge backlog that NCTC couldn’t process within the original time limits. NCTC then predictably sought to retain more data longer.

Congress needs to stop this vicious cycle. It should investigate the new NCTC guidelines and the government’s overall data-collection and data-mining practices. And it should take a look at closing loopholes in the Privacy Act, too.

Related Updates

Today Google launched a new version of its Chrome browser with what they call an "ad filter"—which means that it sometimes blocks ads but is not an "ad blocker." EFF welcomes the elimination of the worst ad formats. But Google's approach here is a band-aid response to the crisis of...

The U.S. Department of Homeland Security (DHS), Customs and Border Protection (CBP) Privacy Office, and Office of Field Operations recently invited privacy stakeholders—including EFF and the ACLU of Northern California—to participate in a briefing and update on how the CBP is implementing its Biometric Entry/Exit Program. As we’ve written ...

San Francisco, California—Face recognition—fast becoming law enforcement’s surveillance tool of choice—is being implemented with little oversight or privacy protections, leading to faulty systems that will disproportionately impact people of color and may implicate innocent people for crimes they didn’t commit, says an Electronic Frontier Foundation (EFF) ...

It should not be surprising that arguably the biggest mistake in Internet policy history is going to invoke a vast political response. Since the FCC repealed federal Open Internet Order in December, many states have attempted to fill the void. With a new bill that reinstates net neutrality protections, Oregon...

Last month, Congress reauthorized Section 702, the controversial law the NSA uses to conduct some of its most invasive electronic surveillance. With Section 702 set to expire, Congress had a golden opportunity to fix the worst flaws in the NSA’s surveillance programs and protect Americans’ Fourth Amendment rights...

President Donald Trump’s first State of the Union address last night was remarkable for two reasons: for what he said, and for what he didn’t say. The president took enormous pride last night in claiming to have helped “extinguish ISIS from the face of the Earth.” But he failed to...

State agencies in California are collecting and using more data now than they ever, and much of this data includes very personal information about California residents. This presents a challenge for agencies and the courts—how to make government-held data that’s indisputably of...

It’s Spain's turn to take a closer look at the practices of their local Internet companies, and how they treat their customers’ personal data. Spain's ¿Quien Defiende Tus Datos? (Who Defends Your Data?) is a project of ETICAS Foundation, and is part of a region-wide initiative by leading...

It’s Spain's turn to take a closer look at the practices of their local Internet companies, and how they treat their customers’ personal data. Spain's ¿Quien Defiende Tus Datos? (Who Defends Your Data?) is a project of ETICAS Foundation, and is part of a region-wide initiative by leading...